vulnerability | high | Reconnaissance | Vulnerability Scanning

Jun 25, 2025 • GreyNoise Blog

Surge in MOVEit Transfer Scanning Could Signal Emerging Threat Activity


Source: GreyNoise Blog
Category: vulnerability
Severity: high

Executive Summary

GreyNoise has detected a significant increase in scanning activity targeting MOVEit Transfer systems, starting May 27, 2025. Daily scanning IPs surged from fewer than ten to over 300 within two days, indicating potential preparatory actions for exploitation. While no specific threat actor or malware family is currently attributed, the pattern mirrors previous campaigns targeting managed file transfer vulnerabilities. Organizations utilizing MOVEit Transfer should treat this activity as a high-severity indicator of compromise risk. Immediate mitigation steps include verifying patch levels, isolating affected systems if necessary, monitoring network traffic for unusual outbound connections, and reviewing logs for unauthorized access attempts. Proactive threat hunting is recommended to identify any successful exploitation attempts stemming from this reconnaissance phase. Continued monitoring is essential as this surge may precede a broader ransomware or data exfiltration campaign targeting unpatched instances globally.

Summary

GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day. But on May 27, that number spiked to over 100 unique IPs, followed by 319 IPs on May 29.
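
A defender can apply the same measurement to their own front-end logs. The added example below (not GreyNoise's code or methodology) counts distinct source IPs per day and flags days far above a trailing median. The log layout, the thresholds, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed layout (constructed): "<date> <time> <src_ip> <method> <path> <status>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\S+) ")

def daily_unique_sources(lines):
    """Count distinct source IPs per day; repeat hits from one IP count once."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {day: len(ips) for day, ips in sorted(seen.items())}

def flag_surges(counts, window=7, factor=5, floor=10):
    """Return (day, count, baseline) for days above factor x trailing median.

    floor keeps a near-zero baseline from alerting on tiny changes; days with
    no log lines are absent from counts and do not lower the baseline.
    """
    days = sorted(counts)
    alerts = []
    for i, day in enumerate(days):
        history = [counts[d] for d in days[max(0, i - window):i]]
        if not history:
            continue  # first day has nothing to compare against
        baseline = max(median(history), floor)
        if counts[day] > factor * baseline:
            alerts.append((day, counts[day], baseline))
    return alerts

def constructed_sample():
    """Constructed data: a quiet week, then a surge shaped like the reported one."""
    nets = ["192.0.2", "198.51.100", "203.0.113"]  # documentation ranges
    sizes = [4, 6, 3, 8, 5, 7, 6, 120, 150, 319]   # 2025-05-20 .. 2025-05-29
    lines = []
    for day, n in zip(range(20, 30), sizes):
        for i in range(n):
            ip = f"{nets[i // 200]}.{i % 200 + 1}"
            for sec in (1, 2):  # two requests per source to exercise dedup
                lines.append(f"2025-05-{day} 12:00:{sec:02d} {ip} GET / 404")
    return lines

if __name__ == "__main__":
    for day, count, baseline in flag_surges(daily_unique_sources(constructed_sample())):
        print(f"{day}: {count} unique sources (baseline {baseline})")
```

The median baseline stays near the quiet-week level for the first days of a sustained surge, so consecutive surge days keep alerting instead of raising their own threshold.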
